User "Tim Starling" posted a comment on MediaWiki.r89252.

Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/89252#c17887
Commit summary:

* MFT r89250. only the tableExists function as 1.17 already supports user-dbname difference

Comment:

It's easier to add a $this->addQuotes() than to confirm that it is secure by 
following the data flow in every place where it is used and confirming that 
there's no way for user input to find its way into this function. That's why 
our security policy is to always escape, regardless of the data source.

As for the release notes, I'm asking if there is some user-visible consequence 
of fixing tableExists(). For instance, does it avoid an error message on 
install or upgrade?

_______________________________________________
MediaWiki-CodeReview mailing list
mediawiki-coderev...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
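
The policy in the comment above, as an added example that is not part of the original message or MediaWiki's own code: a hypothetical MiniDb class with tableExists() written without and with addQuotes()-style escaping. The in-memory SQLite backend is an assumption (the page does not name the database), and MiniDb, tableExistsRaw() and the sample names are constructed.

```php
<?php
// Added illustration; not MediaWiki code. MiniDb and its methods are hypothetical
// stand-ins; only the method name addQuotes() is taken from the comment above.
class MiniDb {
    private PDO $pdo;

    public function __construct() {
        $this->pdo = new PDO('sqlite::memory:');
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo->exec('CREATE TABLE page (page_id INTEGER)');
    }

    // Escape a value and wrap it in quotes so it can only ever be a string literal.
    public function addQuotes(string $s): string {
        return $this->pdo->quote($s);
    }

    // Unescaped form: safe only if every caller, now and in future, passes a trusted name.
    public function tableExistsRaw(string $table): bool {
        $sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = '$table'";
        return (bool)$this->pdo->query($sql)->fetchColumn();
    }

    // Escaped form: correct for any input, so no data-flow audit is required.
    public function tableExists(string $table): bool {
        $sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = "
            . $this->addQuotes($table);
        return (bool)$this->pdo->query($sql)->fetchColumn();
    }
}

$db = new MiniDb();
// Constructed sample names: an existing table, a missing one, one containing a quote.
foreach (['page', 'nosuch', "o'brien"] as $name) {
    try {
        $raw = var_export($db->tableExistsRaw($name), true);
    } catch (PDOException $e) {
        $raw = 'SQL error';   // the embedded quote ended the string literal early
    }
    $safe = var_export($db->tableExists($name), true);
    printf("%-8s raw=%-9s escaped=%s\n", $name, $raw, $safe);
}
```

The two forms agree on ordinary names; only the escaped one still returns a plain true/false when the name contains a quote character, whatever the caller's data source.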
